What is the best way to ensure that a user can access a specific record? I have a page that displays account details. The URL of that account page has an ID in it for that specific account. Some users can see accounts that belong to their area, but not other areas. What's the best way to control which account details a user can access if they put an ID of an account not in their area into the URL?
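One way to enforce this on the server, as an added example that is not part of the original question: the handler never fetches the record by ID alone, it fetches it scoped to the areas the logged-in user may see, and a miss is reported exactly like a nonexistent ID. The `Account`/`User` types, the `area_id` field and the sample rows are assumptions constructed for the example.

```python
"""Added example: object-level authorization for a record-by-ID page.

Assumptions (not from the original question): accounts carry an `area_id`,
and the logged-in user carries the set of `area_ids` they may view. The
rows below are constructed sample data standing in for a database table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: int
    area_id: str
    holder: str


@dataclass(frozen=True)
class User:
    user_id: int
    area_ids: frozenset  # areas this user is allowed to view


class Forbidden(Exception):
    """The record is missing or lies outside the caller's areas."""


ACCOUNTS = {
    1001: Account(1001, "north", "Ada"),
    1002: Account(1002, "south", "Grace"),
}


def load_account_for(user: User, account_id: int) -> Account:
    """Load an account only if it lies in one of the caller's areas.

    The lookup is scoped by the caller's areas, not just by ID (in SQL this
    is 'WHERE id = ? AND area_id IN (...)' rather than 'WHERE id = ?'), so
    an ID typed into the URL for another area fails the same way as an ID
    that does not exist: the response reveals nothing about other areas.
    """
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.area_id not in user.area_ids:
        raise Forbidden(f"account {account_id} not available to user {user.user_id}")
    return acct


def account_page(user: User, raw_id: str) -> dict:
    """Handler: validate the URL parameter, then authorize, then render."""
    if not raw_id.isdigit():
        return {"status": 400, "body": "bad account id"}
    try:
        acct = load_account_for(user, int(raw_id))
    except Forbidden:
        # Same status for 'not yours' and 'does not exist'.
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": {"id": acct.account_id, "holder": acct.holder}}
```

The important property is that the authorization check is part of the data access itself, so no page can forget to call it.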
I'm working on setting up a product that can be used by multiple companies. These companies would authenticate via a Federated Identity (Google and Microsoft). Once logged in, they will be presented with a dashboard that has data tied to their account.
My current thinking is:
User enters their company email
An API is triggered that will look up the identity provider given the company email's domain (e.g. "#someCompany.com")
API will respond with a redirect URL to SSO.
Should I be making a User Pool for every company that registers with my product? Or should I be creating Groups within a single User Pool for each company?
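The domain-to-provider lookup from the second step, as an added example that is not part of the original post: the address is normalized before the registry is consulted, so case, stray whitespace or a second `@` cannot steer a sign-in to the wrong tenant, and an unknown domain gets the same `None` as a malformed one. The `IDP_REGISTRY` contents, the SSO URLs and the function names are assumptions constructed for the example; the user-pool-versus-groups choice is unaffected by it.

```python
"""Added example: resolving a company's identity provider from an e-mail domain.

Assumptions (not from the original post): a registry keyed by verified
company domains, each mapped to its provider and SSO entry URL. Entries and
URLs are constructed sample values.
"""
import re

IDP_REGISTRY = {
    "somecompany.com": {"provider": "google",
                        "sso_url": "https://sso.example/google/somecompany"},
    "othercorp.io": {"provider": "microsoft",
                     "sso_url": "https://sso.example/microsoft/othercorp"},
}

# One DNS label: alphanumerics and hyphens, no leading/trailing hyphen, max 63.
_DOMAIN_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def domain_of(email):
    """Return the normalized domain of an address, or None if it is malformed.

    Exactly one '@' is required, so 'alice@evil.example@somecompany.com'
    is rejected rather than matched to somecompany.com. The domain is
    lowercased (DNS names are case-insensitive) and every label is
    checked, so '..' or a trailing dot cannot slip past the registry key.
    """
    if not isinstance(email, str):
        return None
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or "@" in domain:
        return None
    domain = domain.lower()
    labels = domain.split(".")
    if len(labels) < 2 or not all(_DOMAIN_LABEL.match(label) for label in labels):
        return None
    return domain


def sso_redirect_for(email):
    """Return the SSO redirect URL for a registered company address, or None.

    Unknown and malformed domains both yield None so the caller can answer
    with one generic response; a distinct 'no such company' message would
    let anyone enumerate which companies are customers.
    """
    domain = domain_of(email)
    if domain is None:
        return None
    entry = IDP_REGISTRY.get(domain)
    return entry["sso_url"] if entry else None
```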
Background:
I am making a public app which I will put on the Shopify App Store.
I have completed the OAuth process and I get access_token and scope in return, which is good. I can now use this token and send API requests with X-Shopify-Access-Token in the header.
But, for my database design, I need the user details as well, like user ID or email ID for example. However, I read the docs (scroll up a bit) and it suggested in the caution section that the email address is not reliable to identify the user (merchant). I also gave a read on access modes, which are online and offline, and in my case I would need an offline access token.
Question:
How would I get a User ID from Shopify during app install so that I could uniquely identify each merchant?
One of the reasons I would want to have this is because a single merchant could have(or see) multiple stores linked with my app and I wish to show them details for each store under a single user account.
When a merchant installs your App, during the OAuth flow, you are presented with the shop name. That is unique, and will always be present for incoming calls to your App from Shopify.
You do not mess around with email, or user IDs. You simply persist the access token you got in your data store, with the shop name.
If you wanted to group by a merchant name, you know each Shop object provides the shop owner details. So you can always dig those out and store them along with the shop name, allowing you to show one merchant, many stores.
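The storage layout the answer describes, as an added example that is not part of the original answer: installs are keyed by the shop domain, the domain is canonicalized and checked to be a `*.myshopify.com` host before it becomes a key, and the shop owner value is kept only as a grouping label for the "one merchant, many stores" view, never as the identity. The in-memory dict, the `owner` field and the sample values are assumptions constructed for the example.

```python
"""Added example: persisting an offline access token keyed by shop domain.

Assumptions (not part of the original answer): the `shop` value arrives as a
*.myshopify.com hostname (possibly with scheme or trailing slash), the
owner label comes from the Shop object, and a dict stands in for a database
table. All values below are constructed.
"""
import re

# Shopify shop domains: alphanumerics/hyphens followed by .myshopify.com
_SHOP_RE = re.compile(r"^[a-z0-9][a-z0-9-]*\.myshopify\.com$")


def normalize_shop(shop):
    """Return the canonical shop domain, or None if it is not a myshopify.com host."""
    if not isinstance(shop, str):
        return None
    shop = shop.strip().lower()
    if shop.startswith("https://"):
        shop = shop[len("https://"):]
    shop = shop.rstrip("/")
    # Anchored match: 'shop.myshopify.com.evil.example' must not pass.
    return shop if _SHOP_RE.match(shop) else None


class InstallStore:
    """One record per shop. The shop domain is the primary key, not e-mail."""

    def __init__(self):
        self._by_shop = {}

    def save_install(self, shop, access_token, scope, owner):
        """Persist the OAuth result for a shop; returns the key used."""
        domain = normalize_shop(shop)
        if domain is None:
            raise ValueError("not a myshopify.com shop domain")
        # In a real table the token column should be encrypted at rest;
        # the token grants the offline access this app was installed with.
        self._by_shop[domain] = {
            "access_token": access_token,
            "scope": scope,
            "owner": owner,  # display/grouping label only
        }
        return domain

    def token_for(self, shop):
        """Look up the token for an incoming call's shop, or None."""
        domain = normalize_shop(shop)
        rec = self._by_shop.get(domain) if domain else None
        return rec["access_token"] if rec else None

    def shops_for_owner(self, owner):
        """All shop domains sharing one owner label: one merchant, many stores."""
        return sorted(d for d, r in self._by_shop.items() if r["owner"] == owner)
```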
On my website, I want to track visitors who are searching for products after logging in. Can I get that list?
I read this: Is it possible to use Google Analytics to track single user account? But can I get the login ID of that user with details of what he/she searched for?
I am currently writing an application as the owner of a particular venue. I want to be able to programmatically reach out to a user who checks in to the location via the contact information associated with their Foursquare account (if they've chosen to make that information public).
Based on the sample code provided with the Real-Time API, it doesn't look like contact information is returned here. Is there a way to crawl to the necessary info from the info returned via this endpoint?
You generally ought to actually be able to get the email from the actual push API response. Inside the user object should be a contact object, and the email field will be populated with their email. You can always also fall back to making a user details call to retrieve a user's contact info once you know their user ID.
However, please keep in mind our API platform policy when it comes to situations like this. From the policy: "You must not take any action that constitutes unauthorized or unsolicited advertising, junk or bulk e-mail."
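The lookup order the answer gives (contact e-mail in the push payload first, user-details call by ID as the fallback), as an added example that is not part of the original answer: the parser tolerates a payload whose `contact` object is absent or empty, which is what a user who has not made that information public looks like, and reports which path applies instead of assuming the field. The payload shape (`user` → `contact` → `email`) follows the answer; the surrounding `checkin` key and the sample JSON are assumptions constructed for the example.

```python
"""Added example: reading contact info from a push payload with a fallback.

Assumptions (not from the original answer): the push body is JSON with a
`checkin` object wrapping the `user`; the sample payloads are constructed.
"""
import json


def contact_email_from_push(payload_json):
    """Return (email, source).

    source is 'push' when the e-mail was in the payload, 'user_lookup' when
    only the user ID is present and a user-details call would be needed,
    and 'unavailable' when neither is present. Missing or non-object
    `contact` values are treated as 'not public' rather than as errors.
    """
    data = json.loads(payload_json)
    checkin = data.get("checkin") if isinstance(data, dict) else None
    user = (checkin or {}).get("user") or {}
    contact = user.get("contact")
    if not isinstance(contact, dict):
        contact = {}
    email = contact.get("email")
    if isinstance(email, str) and email.strip():
        return email.strip(), "push"
    if user.get("id"):
        return None, "user_lookup"
    return None, "unavailable"


# Constructed sample payloads for a local run.
WITH_EMAIL = json.dumps({"checkin": {"id": "c1", "user": {
    "id": "u1", "firstName": "Ada", "contact": {"email": "ada@example.com"}}}})
NO_CONTACT = json.dumps({"checkin": {"id": "c2", "user": {"id": "u2"}}})
NO_USER = json.dumps({"checkin": {"id": "c3"}})
```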
I am currently working on an app that requires people to use their Facebook profile to sign in. My question is: is there any way for non-individuals to be able to sign in? I mean group pages, business pages etc., because I need to import their profile picture and their names. Maybe any other way/idea to import them.
That would really help my case.
No. All Facebook accounts are supposed to belong to users. Users can be admins of groups and business pages, but there is no way to directly login to one of these without first logging in to their user account.
Businesses and groups sometimes incorrectly register themselves as users. There is no way to filter these out.
That said, if you make a call to https://graph.facebook.com/ID?fields=name,picture where ID is from a user, group or business page, all of these return a name and profile picture.